4 REGISTRATION

1. Introduction

Eskom Holdings Limited (Eskom) has a responsibility to the country to ensure that sustainable development becomes a reality. Eskom therefore plays a major role in accelerating growth in the South African economy by providing a high-quality supply of electricity to satisfy the needs of the country.

In order to deliver on their strategic objectives, including quality and continuity of electricity supply, capacity expansion and funding and financial resourcing, Eskom will make use of technology solutions in the electronic environment including the Internet and Information Systems. Eskom needs to provide their employees, contractors, suppliers and clients with a secure electronic environment to facilitate the exchange of information and documents, electronic communications, and a secure user community.

Eskom will preserve high levels of confidentiality and integrity in this public medium, and align with the regulations and provisions of the Electronic Communications and Transactions Act, by choosing to use an internationally established standard in secure communication, namely, the Entrust Public Certification Services. The Certification Services will be managed for Eskom by the Certificate Authority who is signed into the trust hierarchy of the Entrust Root Certification Authority.

The terms contained in this Charter are subject to the terms and conditions contained in the Certification Practice Statement (CPS). Combined, this Charter and the CPS specify the digital certification process and provide the required trust in Eskom as a digital certificate issuer. All persons are required to adhere to the terms and conditions contained in the CPS as well as any other requirements imposed by Eskom that do not conflict with the CPS.

2. Scope

This document is part of Eskom's Information Security Policy and is applicable to Eskom as well as to all parties taking part in the Eskom digital certification process.
Eskom's Information Risk Management is the final authority on all Eskom IT related security within the Eskom sphere of IT operations.

3. Appointment

appoints Eskom as a Registration Authority (-RA) to:

1. Accept applications for Eskom Certificates.
2. Perform authentication of identities and verification of information submitted by applicants when applying for the issuance of a digital certificate by the CA in terms of the provisions of this Charter, which has been approved by the Policy Authority.

3. Where such authentication and verification is successful, submit the request to the CA, in accordance with the provisions of this Charter and the CPS.

The -RA is appointed exclusively for the purposes of authenticating the identity and verifying supporting and ancillary information of applicants (new certificates) or subscribers (certificate revocations) using the services provided by Eskom.

4. Document Name and Publication

This document is called the Eskom Registration Authority Charter. The latest version of the Charter may be accessed at the website https://www.lawtrust.co.za/repository.

5. Applicant and Subscriber

In this Charter a natural person applying for an Eskom Certificate shall be described as an applicant until the application for the Eskom Certificate has been granted. Once an Eskom Certificate has been issued the natural person to whom it has been issued shall be referred to as a subscriber.

6. Domain of Use (Eligibility for Certification)

Eskom employees can be digitally certified under the following conditions:

1. The applicant has an Eskom Employee Number.
2. The applicant has a valid Eskom account.
3. The applicant has a cellular phone number.
4. The applicant is in good standing with Eskom.
5. The applicant is fully aware of the responsibilities regarding the care and use of digital certificates and keys (as contained in the CPS, this Charter and any other Eskom governance policies).

7. Purpose of Certification

Digital certification is to be used to provide the subscribers with trusted identity credentials for, amongst other uses:

1. Secure Digitally sign documents or transactions.

The above will ensure authentication, authorisation, privacy, message integrity and non-repudiation. The subscriber may only use the Eskom Certificate for legitimate business purposes. An Eskom Cost Centre Manager or Divisional Information Manager will determine if an Eskom employee is eligible to be issued an Eskom Certificate.

8. Ownership of Charter

Eskom's Information Risk Management is responsible for the upkeep of this Charter. Changes to this Charter are to be authorised by Eskom's Information Risk Manager and approved by the Policy Authority. Eskom's Information Risk Management takes full responsibility for the upkeep and content of this Charter, but limits its liability to the use of this Charter as described in the CPS, this Charter and any other Eskom governance policies.

The day to day business operations related to certificate lifecycle would be executed by Eskom's Corporate Information Management. The technical operations related to certificate lifecycle would be executed by Eskom's Outsourced ICT Service Provider.

9. Private Key Infrastructure Hierarchy

The trust hierarchy is as follows:

• Entrust.net Secure Server Certification Authority: Root Certification Authority (RCA)
• LAWtrust CA: Local Certification and Issuing Authority (ICA)
• -RA: Local Registration Authority (LRA)

The root key hierarchy is as follows:

• Entrust.net Secure Server Certification Authority: ROOT CA
• LAWtrust CA (Eskom Certificates to be signed by this CA): ISSUING CA

10. Certificate Content

• Common Name (First Name and Surname)

• Eskom Employee Number
• Eskom e-mail address
• Issuing Authority: LAWtrust CA
• Organisation: Eskom Holdings Limited

11. Application for an Eskom Certificate

The -RA shall be entitled to accept and process applications for natural persons for the issue of an Eskom Certificate. As a minimum the -RA shall require from the natural person applicant:

• A duly completed Eskom Certificate Application Form signed by the Eskom Line Manager and approved by an Eskom Divisional/Regional Information Manager.
• A duly completed and signed Eskom Subscriber Agreement.
• Copy of the applicant's ID, Passport or Driver's License.

The -RA shall retain the application together with all of the documentation relevant to the authentication of the identity of the applicant as well as the verification of supporting information centrally and securely in the Eskom Corporate Archive, in conformance with the requirements of the Policy Authority, for a period of 3 (three) years after the expiry or revocation of the Eskom Certificate.

12. Advising on the Outcome of the Application

If the application is refused the -RA shall give the applicant notice of the refusal by the -RA to issue a certificate to the applicant. The notice shall be addressed to the address provided in the application, failing which in the manner deemed most expedient by the -RA and shall provide the reasons for the refusal.

If the application is granted the -RA, within 10 (ten) days of the receipt of the application by the -RA, will advise the applicant via e-mail at the address provided in the application.

13. Process of Request Verification

Duly appointed Eskom Divisional/Regional Information Managers, who fall under Eskom Information Management, or Help Desk Managers will:

1. Receive a request (Eskom Certificate Application Form), which has been authorised by a Line Manager.
2. Physically verify the applicant's identity with face-to-face verification against the user's ID, Passport or Driver's License and the information in the submitted Eskom Application Form.
3. Request the certificate applicant to sign an Eskom Subscriber Agreement.
4. Approve the applicant's certificate application.

14. Process of Enrolment

Online electronic enrolment will be done and the following enrolment fields are compulsory:

1. Common Name (First name & surname) (CN)
2. Eskom Employee Number (Serial Number)
3. Eskom E-mail Address (E)
4. Eskom Holdings Limited (O)

The -RA Certificate Administrator, who falls under the authority of Eskom's Information Management, will perform the following steps to issue a certificate:

1. Receive the applicant's approved certificate application form.
2. Register the subscriber and create the reference code and authorisation code on the Certificate Management System.
3. Inform the subscriber via e-mail, at the address supplied on the Eskom Application Form, that a certificate has been issued. This e-mail will contain the reference code that will be required to initiate the download of the certificate. The authorisation code that is required to complete the download of the certificate will be sent via SMS to the cell number provided on the Eskom Application Form.
4. Create and send the SMS and e-mail containing the relevant information to the subscriber.
5. The -RA shall, if required by the subscriber, provide assistance to the subscriber in the activation of the Eskom Certificate.

15. Certificate Use Verification

• The certificate validity can be verified in the CRL [website:
• The CRL profile will be a full CRL.
• The certificate is valid for a maximum period of one year from date of issue.

16. Acceptance of Certificate

After the issuance of the Eskom Certificate and notification addressed to the subscriber, the subscriber shall check that the content of the Eskom Certificate is correct. Unless notified to the contrary by the subscriber of any inaccuracies in the Eskom Certificate, the Eskom Certificate shall be deemed to have been accepted by the subscriber and the information contained in the Eskom Certificate deemed to be accurate.

17. Revocation of Certificates

Eskom Certificates may be revoked under authority from Eskom's Divisional/Regional Information Manager or a subscriber's Eskom Line Management under the following circumstances:

1. Subscriber's request.
2. Subscriber's formal relationship with Eskom ends.
3. Subscriber's role change in Eskom (certificate requirement no longer necessary).
4. Any changes in information contained in the Eskom Certificate issued to the subscriber.
5. Breach by subscriber of any terms of the CPS or the Eskom Subscriber Agreement entered into with the subscriber.
6. Loss, compromise, or suspected compromise, of a subscriber's private key or workstation.
7. Issue or use of the certificate not in accordance with the CPS.
8. The CA or Entrust CA expires.
9. Any other reason that the CA or the -RA reasonably believes may affect the integrity, security or trustworthiness of an Eskom Certificate.

18. Revocation Processes

An Eskom Certificate Revocation Request may be submitted by a subscriber, the -RA or the LAWtrust CA if any of the above occurs. The Eskom Divisional/Regional Information Manager or subscriber's Line Management shall authenticate a request for revocation of an Eskom Certificate and upon verification send a revocation request to the Eskom RA who will generate a revocation request to the LAWtrust CA.

The LAWtrust CA shall, within 48 hours of receiving a revocation request, post the serial number of the revoked Eskom Certificate to the CRL in the repository. The Eskom Certificate Administrators shall make a commercially reasonable effort to notify the subscriber by e-mail if the subscriber's Eskom Certificate is revoked.

Revocation of an Eskom Certificate shall not affect any of the subscriber's contractual obligations under the CPS or the Eskom Subscriber Agreement entered into by the subscriber.

19. Eskom Certificate Suspension

The -RA may suspend an Eskom Certificate if:

1. The subscriber is not in good standing with the -RA or LAWtrust CA.
2. The subscriber fails to adhere to the provisions of the CPS or the Eskom RA Charter.
3. Temporary suspension of the subscriber's role that requires the use of an Eskom Certificate.

The Eskom Divisional/Regional Information Manager may request the LAWtrust CA to suspend an Eskom Certificate without prior notice to the subscriber. The -RA shall make a commercially reasonable effort to notify the subscriber of the suspension by sending an e-mail to the address provided in the certificate application.

20. Eskom Certificate Annual Renewal

The Eskom Certificate will be renewed annually on the approach of the expiry date for the certificate. This renewal is an automated process (for active certificates that are not revoked or suspended) and will require no interaction from the subscriber.

21. RA Annual Audit

The -RA shall be audited once per calendar year for compliance with the practices and procedures set out in this Charter and the CPS. If the results of an audit report recommend remedial action, the -RA shall initiate corrective action within 30 (thirty) days of receipt of such audit report.

22. References

1. All Eskom Related Information Security Policies
2. ECTA (Electronic Communications and Transactions Act No. 25 of 2002)
3. ISO 17799:2005 & 27001:2005 Information Technology Code of Practice for Information Security Management
4. Eskom Certificate Application Form
5. Eskom Subscriber Agreement
6. Certificate Practices Statement (https://www.lawtrust.co.za/repository)
